Introduction to CPIX¶
Table of Contents
CPIX is an open specification developed by DASH-IF that offers support for all major DRM systems and playout formats. The idea behind CPIX is that it provides an interoperable, XML-based format to exchange content protection configurations between different systems that need to interact within a video streaming setup. USP follows the CPIX 2.2 specification.
Ideally, a DRM provider supplies a CPIX document, which can then be used as input for the Unified Streaming Platform; see Command-line options for specifying CPIX document URLs for the various contexts in which you can use a CPIX document. If your DRM provider does not (yet) supply a CPIX document, it is possible to create one yourself.
The use of CPIX documents in combination with non-CPIX based DRM options in a single server manifest is not supported.
There is no support for encryption, decryption and signing of CPIX documents or DRM keys as for instance outlined in sections 4.3.2 or 4.3.5 of the CPIX 2.2 specification. HTTPS should be used and if needed basic auth or digest may be added through the use of a proxy.
Minimum info necessary¶
To create a CPIX document, the minimum information necessary is:
- Must have a Key ID (KID) used to identify the content and associate it with a (secret) Content Encryption Key.
- May have a Content Encryption Key (CEK), which is used to encrypt the content.
- Must have a System ID which represents a specific DRM system such as Microsoft PlayReady (see DASH-IF DRM system IDs).
- Must have a Key ID which must refer to an existing Content Key's KID.
- Optionally has a Protection System Specific Header (
PSSH). Depending on the DRM system, contains protection information such as such as licenses, rights, and license acquisition information.
- Optionally has
ContentProtectionDataused for signaling DRM in the MPEG-DASH playout manifest.
- Optionally has
HLSSignalingDataused for signaling DRM in the Apple HLS Manifest.
- Optionally has
SmoothStreamingProtectionHeaderDataused for signaling DRM in the Microsoft Smooth Streaming playout manifest.
- Optionally has
HDSSignalingDataused for signaling DRM in the HTTP Dynamic Streaming playout manifest.
Minimal CPIX example¶
The following example shows a minimal CPIX document:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
<?xml version='1.0' encoding='UTF-8'?> <CPIX xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:dashif:org:cpix" xsi:schemaLocation="urn:dashif:org:cpix cpix.xsd"> <ContentKeyList> <ContentKey kid="e82f184c-3aaa-57b4-ace8-606b5e3febad"> <Data> <pskc:Secret> <pskc:PlainValue>wvr2bihSzExKdR8KKpQf2w==</pskc:PlainValue> </pskc:Secret> </Data> </ContentKey> </ContentKeyList> <DRMSystemList> <!-- Widevine --> <DRMSystem kid="e82f184c-3aaa-57b4-ace8-606b5e3febad" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"> <PSSH>AAAAMnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABIiCnVzcHd2dGVzdDNI49yVmwY=</PSSH> <ContentProtectionData /> <HLSSignalingData /> </DRMSystem> </DRMSystemList> </CPIX>
- The document's
<ContentKeyList>contains a single
<ContentKey>element with key ID
- The base64-encoded CEK for this key ID is
- The document's
<DRMSystemList>contains a single
<DRMSystem>element. It is used for the
<ContentKey>element above (
e82f184c-3aaa-57b4-ace8-606b5e3febad) in combination with the Widevine (
edef8ba9-79d6-4ace-a3c8-27dcd51d21ed) DRM system (line 14).
- The base64-encoded PSSH DRM information for Widevine is listed in line 15.
- Both the
<HLSSignalingData>elements listed in lines 16 and 17 are left empty. This tells USP to generate the required signaling when an MPEG-DASH manifest or HLS playlist is requested. For the full list of supported generated signalings, see Using implicitly generated signaling. Alternatively, the signaling can be explicitly specified in the CPIX document; see Using explicitly specified signaling.
- This CPIX document does not contain a
<ContentKeyUsageRuleList>element, which is used to limit the use of a specific
<ContentKey>based on track characteristics (see Using DRM with Multiple Keys), by timespan (see Using DRM with Key Rotation (HLS TS Only)), or both. The absence of any usage rules implies that a query of this document for encryption information will always select the only content key it contains.
- It is possible to explicitly signal a Key Initialization Vector (IV) by
explicitIVattribute to a
<ContentKey>element. The primary use of this is to enable the use of DRM systems that associate a single IV with each CEK and whose DRM client implementations are unable to extract the IV from the content, requiring the license server to deliver the IV together with the CEK upon request. Use of this attribute is not recommended except for compatibility with such DRM systems.
- If you work with pre-encrypted content, it is not necessary to provide a CEK in your CPIX document as the platform only requires a CEK to encrypt content and not for generating the necessary signaling.
As stated above, a CPIX document may contain a
that consists of a list of
<ContentKeyUsageRule> elements. Usage rules
limit the applicability of a particular
<ContentKey>, identified by the
kid attribute, to a specific track or timespan.
<ContentKeyUsageRule> element contains a number of filtering
elements. There are different types of filtering elements; most filter
limit the use a content key to a particular track as described in
Using DRM with Multiple Keys. A
<KeyPeriodFilter> limits to use of
a content key to a particular timespan; see Using DRM with Key Rotation (HLS TS Only) for
<LabelFilter> element from the CPIX 2.2 specification is not
Your CPIX document must be unambiguous; be sure to configure your filtering rules such that at most one content key is selected.
In order to make the creation of CPIX documents easier we provide two tools to create them:
- pycpix - a Python library for working with CPIX 2.2 documents
- cpix-gen - a CPIX generator tool - a fully installed, dockerised version of pycpix.
To create a simple CPIX document with a single key:
import cpix full_cpix = cpix.CPIX( content_keys=cpix.ContentKeyList( cpix.ContentKey( kid="0DC3EC4F-7683-548B-81E7-3C64E582E136", cek="WADwG2qCqkq5TVml+U5PXw==" ) ), drm_systems=cpix.DRMSystemList( cpix.DRMSystem( kid="0DC3EC4F-7683-548B-81E7-3C64E582E136", system_id="EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED", pssh=("AAAAxnBzc2gBAAAA7e+LqXnWSs6jyCfc1R0h7QAAAAINw+xPdoNUi4HnPGT" "lguE2FEe37S9mVyu9EwbOfPNhDQAAAIISEBRHt+0vZlcrvRMGznzzYQ0SEF" "rGoR6qL17Vv2aMQByBNMoSEG7hNRbI51h7rp9+zT6Zom4SEPnsEqYaJl1Hj" "4MzTjp40scSEA3D7E92g1SLgec8ZOWC4TYaDXdpZGV2aW5lX3Rlc3QiEXVu" "aWZpZWQtc3RyZWFtaW5nSOPclZsG") ) ) )
This can then be printed (or saved to disk) as a formatted XML document:
<?xml version='1.0' encoding='utf-8'?> <CPIX xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:dashif:org:cpix" xsi:schemaLocation="urn:dashif:org:cpix cpix.xsd"> <ContentKeyList> <ContentKey kid="0dc3ec4f-7683-548b-81e7-3c64e582e136"> <Data> <pskc:Secret> <pskc:PlainValue>WADwG2qCqkq5TVml+U5PXw==</pskc:PlainValue> </pskc:Secret> </Data> </ContentKey> </ContentKeyList> <DRMSystemList> <DRMSystem kid="0dc3ec4f-7683-548b-81e7-3c64e582e136" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"> <PSSH>AAAAxnBzc2gBAAAA7e+LqXnWSs6jyCfc1R0h7QAAAAINw+xPdoNUi4HnPGTlguE2FEe37S9mVyu9EwbOfPNhDQAAAIISEBRHt+0vZlcrvRMGznzzYQ0SEFrGoR6qL17Vv2aMQByBNMoSEG7hNRbI51h7rp9+zT6Zom4SEPnsEqYaJl1Hj4MzTjp40scSEA3D7E92g1SLgec8ZOWC4TYaDXdpZGV2aW5lX3Rlc3QiEXVuaWZpZWQtc3RyZWFtaW5nSOPclZsG</PSSH> </DRMSystem> </DRMSystemList> </CPIX>
For installation and further details, please see either Github repository.
Using Command-line options for specifying CPIX document URLs it is possible to configure Origin to use a remote server to request CPIX documents from. As Origin runs stateless, it will request the stream's CPIX document from the remote server for each incoming request for the stream. To optimize this workflow, caching the response from the DRM server is crucial. In order to do this efficiently, you may need to configure your cache to ignore some of the query parameters that Origin sends as part of the request to the remote server (if these parameters don't affect the CPIX document that is generated, like 'start' and 'end' when not using key rotation).